Hello,

Thank you for your bug report. The patch can't be applied as it is, because on GNU there are no restrictions on the file name length; the original code was broken twice.
I attached a version that uses a dinamically allocated buffer, ok to push? Cheers, Giuseppe 王智通 <[email protected]> writes: > Dear, all: > > I download gnu telnet code from > http://ftp.gnu.org/gnu/inetutils/inetutils-1.7.tar.gz. In the telnet code in > commands.c, > I found this function has a local buffer overflow bug, see: > > Commands.c: > > static char *rcname = 0; > static char rcbuf[128]; > > static void > cmdrc (char *m1, char *m2) > { > if (rcname == 0) > { > rcname = getenv ("HOME"); // when the getenv() get the HOME environment > value, It not test the length of the value, and then copy it to the rcbuf. If > the length is too long(>128), it will cause a buffer overflow. > if (rcname) > strcpy (rcbuf, rcname); > else > rcbuf[0] = '\0'; > strcat (rcbuf, "/.telnetrc"); > rcname = rcbuf; > } > > You can test it with: > > Export > HOME=”aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa” > > ./telnet localhost 22 > > My terminal has crashed. > > And my patch is: > > diff -Nur inetutils-1.7/telnet/commands.c inetutils-1.7-new/telnet/commands.c > --- inetutils-1.7/telnet/commands.c 2009-12-14 19:36:17.000000000 +0800 > +++ inetutils-1.7-new/telnet/commands.c 2009-12-27 19:02:44.000000000 +0800 > @@ -3029,6 +3029,8 @@ > if (rcname == 0) > { > rcname = getenv ("HOME"); > + if (strlen(rcname) > 128) > + return ; > if (rcname) > strcpy (rcbuf, rcname); > else >From db9cb96d650cc9583f7347ba1102713cb7b46c16 Mon Sep 17 00:00:00 2001 
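Review bot: The added `if (strlen(rcname) > 128) return ;` in the quoted hunk runs before the existing `if (rcname)` test, so an unset `$HOME` now passes NULL to `strlen` instead of reaching the empty-buffer branch. The bound is also too loose: `rcbuf` is 128 bytes and the later `strcat` appends the 10-byte `"/.telnetrc"` plus its terminator, so a `$HOME` of 118 to 128 bytes still writes past the end of `rcbuf`. A check that keeps the old fallback would read `if (rcname && strlen (rcname) + sizeof "/.telnetrc" > sizeof rcbuf) rcname = 0;` placed before `if (rcname)`, though any fixed limit is wrong on systems without a path-length cap, which is what the attached patch addresses by sizing the buffer at run time. The remainder of `cmdrc` lies outside the quoted hunk.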
From: Giuseppe Scrivano <[email protected]>
Date: Mon, 28 Dec 2009 00:45:49 +0100
Subject: [PATCH] Fix a buffer overflow in telnet when $HOME is longer than 128 bytes
---
 ChangeLog | 7 +++++++
 bootstrap.conf | 1 +
 lib/.gitignore | 5 +++++
 telnet/commands.c | 14 +++++++-------
 4 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index bcb67d6..9b70c2a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2009-12-28 Giuseppe Scrivano <[email protected]>
+ Reported by: Zhitong Wangzt <[email protected]>
+
+ * bootstrap.conf (gnulib_modules): Add `xvasprintf'.
+ * telnet/commands.c (cmdrc): Alloc `rcname' dinamically.
+ (rcbuf): Remove.
+
 2009-12-19 Alfred M. Szmidt <[email protected]>
 * configure.ac: Bump version number to 1.7.90.
diff --git a/bootstrap.conf b/bootstrap.conf
index ba67bc6..43e7a0c 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -78,6 +78,7 @@ xgetcwd
 xgetdomainname
 xgethostname
 xsize
+xvasprintf
 "
 # Read local configuration file
diff --git a/lib/.gitignore b/lib/.gitignore
index c76a7a5..c47b0b9 100644
--- a/lib/.gitignore
+++ b/lib/.gitignore
@@ -18,6 +18,7 @@ argp-version-etc.h
 argp-xinl.c
 argp.h
 asnprintf.c
+asprintf.c
 at-func.c
 basename-lgpl.c
 basename.c
@@ -225,6 +226,7 @@ unlinkat.c
 unlocked-io.h
 vasnprintf.c
 vasnprintf.h
+vasprintf.c
 verify.h
 version-etc-fsf.c
 version-etc.c
@@ -238,6 +240,7 @@ wctype.h
 wctype.in.h
 xalloc-die.c
 xalloc.h
+xasprintf.c
 xgetcwd.c
 xgetcwd.h
 xgetdomainname.c
@@ -248,3 +251,5 @@ xmalloc.c
 xsize.h
 xstrndup.c
 xstrndup.h
+xvasprintf.c
+xvasprintf.h
diff --git a/telnet/commands.c b/telnet/commands.c
index aeb684a..8ac6758 100644
--- a/telnet/commands.c
+++ b/telnet/commands.c
@@ -97,6 +97,9 @@
 #include "defines.h"
 #include "types.h"
+#include "xalloc.h"
+#include "xvasprintf.h"
+
 #if !defined(CRAY) && !defined(sysV88)
 # ifdef HAVE_NETINET_IN_SYSTM_H
 # include <netinet/in_systm.h>
@@ -3008,7 +3011,6 @@ help (int argc, char *argv[])
 }
 static char *rcname = 0;
-static char rcbuf[128];
 static void
 cmdrc (char *m1, char *m2)
@@ -3028,13 +3030,11 @@ cmdrc (char *m1, char *m2)
 if (rcname == 0)
 {
- rcname = getenv ("HOME");
- if (rcname)
- strcpy (rcbuf, rcname);
+ const char *home = getenv ("HOME");
+ if (home)
+ rcname = xasprintf ("%s/.telnetrc", home);
 else
- rcbuf[0] = '\0';
- strcat (rcbuf, "/.telnetrc");
- rcname = rcbuf;
+ rcname = xstrdup ("/.telnetrc");
 }
 if ((rcfile = fopen (rcname, "r")) == 0)
--
1.6.5
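Review bot: `rcname` now holds a heap string from `xasprintf`/`xstrdup` that is never released, and neither this hunk nor the `static char *rcname = 0;` declaration in the previous hunk says that this is deliberate; a one-line comment on the declaration, `/* Path of the rc file, built once on first use and kept for the process lifetime (never freed).  */`, would keep a later maintainer from adding a `free` that the `if (rcname == 0)` cache does not expect. The unset-`$HOME` fallback to `"/.telnetrc"` at the filesystem root is inherited from the removed lines rather than introduced here, so whether sourcing commands from that path is wanted is a pre-existing question; skipping the rc file when `$HOME` is missing would be the more conservative choice, but the rest of `cmdrc`, including what it does with `rcfile`, is outside the hunk. Unlike the old static buffer, the gnulib `x*` wrappers abort the process on allocation failure, which is acceptable for a client at startup but is a behavioural change worth a line in the ChangeLog entry.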
